stackpeek

audit report

Calendly

https://calendly.com · scheduling

warn
scanned 2026-04-16 23:32:03 UTC · permalink: /audit/calendly

Calendly's privacy policy is substantively transparent about its data practices, disclosing collection of PII, third-party sharing, cookies, analytics, and advertising. Observed tech stack (Google Tag Manager, Contentful CDN, Navattic embed) aligns with claimed practices. The policy explicitly acknowledges cookies may constitute a "sale" under state privacy laws and provides user rights including opt-outs. No major mismatches found between policy claims and observed behavior.

claim vs. reality


“we may ask for certain Personal Data, such as your name, email address, and phone number”

— Calendly privacy policy

observed · html

Google Tag Manager

findings


  1. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager.

    
    Google Tag Manager
  2. note

    Google Tag Manager loaded (tag_manager)

    Observed 1 time(s) on the page.

    
    link preload: https://www.googletagmanager.com/gtm.js?id=GTM-W3RGHP8
  3. note

    No Content-Security-Policy header

    A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.

  4. note

    Cloudflare Bot Management cookie without explicit disclosure

    The __cf_bm cookie (Cloudflare Bot Management) is set on the page, but the privacy policy does not explicitly mention Cloudflare or bot management services. While bot management is a legitimate infrastructure practice, Calendly does not disclose this cookie's purpose or presence.

    
    Cookie '__cf_bm' observed in cookies_set
    Policy lists Google Analytics, Clearbit, Facebook, MNTN, and Google Inc as named third parties but does not mention Cloudflare
  5. note

    Navattic embed loaded but not mentioned in named third parties

    Navattic (an interactive product demo platform) is loaded as an embed on the homepage, but is not listed among the named third-party service providers in the privacy policy's disclosed list. This appears to be a platform preview/demo tool, but the lack of explicit mention could obscure what data flows to this vendor.

    
    navattic.com detected with 1 hit in third_parties
    Named third parties list: Google Analytics, Clearbit, Facebook, MNTN, Google Inc — Navattic not included
  6. info

    No Content Security Policy detected

    While HSTS is enabled, Calendly does not implement a Content Security Policy (CSP). This reduces protection against certain injection attacks and provides less visibility/control over which domains can load resources. Not a direct policy violation but a security posture note.

    
    has_csp: false
    has_hsts: true

third parties observed


vendor | domain | category | hits | disclosure
Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named
Contentful CDN | ctfassets.net | cdn | 54 | not named
Navattic | navattic.com | embed | 1 | not named

policy claims


source · https://calendly.com/legal/privacy-notice

collects pii: yes
shares 3p: yes
sells data: yes
cookies: yes
analytics: yes
advertising: yes

named third parties (5)

Google Analytics, Clearbit, Facebook, MNTN, Google Inc

retention

Calendly retains Personal Data for so long as reasonably necessary to fulfill collection purposes, perform contractual and legal obligations, and for applicable statute of limitations periods. The policy does not specify fixed retention timelines for different data categories.

user rights

Users can access and update account information, opt out of promotional emails, manage cookie preferences, and request access, correction, deletion, and data portability of their Personal Data. Users may also opt out of sales/sharing of data and targeted advertising. California residents have additional rights under CCPA. EU/UK residents can lodge complaints with data protection authorities.

response headers


hsts: yes
csp: no
server: cloudflare

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://calendly.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://calendly.com


provenance


This audit was generated by running stackpeek against https://calendly.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.